suidperl less insecure

A pair of exploits in suidperl involving debugging code have been closed.

For new projects the core perl team strongly recommends that you use dedicated, single purpose security tools such as sudo in preference to suidperl.

Optional site customization script

The perl interpreter can be built to allow the use of a site customization script. By default this is not enabled, to be consistent with previous perl releases. To use this, add -Dusesitecustomize to the command line flags when running the Configure script. See also "-f" in perlrun.

Config.pm is now much smaller.

Config.pm is now about 3K rather than 32K, with the infrequently used code and %Config values loaded on demand. This is transparent to the programmer, but means that most code will save parsing and loading 29K of script (for example, code that uses File::Find).

Modules and Pragmata

B upgraded to version 1.09

base upgraded to version 2.07

bignum upgraded to version 0.17

bytes upgraded to version 1.02

Carp upgraded to version 1.04

CGI upgraded to version 3.10

Class::ISA upgraded to version 0.33

Data::Dumper upgraded to version 2.121_02

DB_File upgraded to version 1.811

Devel::PPPort upgraded to version 3.06

Digest upgraded to version 1.10

Encode upgraded to version 2.10

FileCache upgraded to version 1.05

File::Path upgraded to version 1.07

File::Temp upgraded to version 0.16

IO::File upgraded to version 1.11

IO::Socket upgraded to version 1.28

Math::BigInt upgraded to version 1.77

Math::BigRat upgraded to version 0.15

overload upgraded to version 1.03

PathTools upgraded to version 3.05

Pod::HTML upgraded to version 1.0503

Pod::Perldoc upgraded to version 3.14

Pod::LaTeX upgraded to version 0.58

Pod::Parser upgraded to version 1.30

Symbol upgraded to version 1.06

Term::ANSIColor upgraded to version 1.09

Test::Harness upgraded to version 2.48

Test::Simple upgraded to version 0.54

Text::Wrap upgraded to version 2001.09293, to fix a bug when wrap() was called with a non-space separator.

threads::shared upgraded to version 0.93

Time::HiRes upgraded to version 1.66

Time::Local upgraded to version 1.11

Unicode::Normalize upgraded to version 0.32

utf8 upgraded to version 1.05

Win32 upgraded to version 0.24, which provides Win32::GetFileVersion

Utility Changes

find2perl enhancements

find2perl has new options -iname, -path and -ipath.

Performance Enhancements

The internal pointer mapping hash used during ithreads cloning now uses an arena for memory allocation. In tests this reduced ithreads cloning time by about 10%.

Installation and Configuration Improvements

The Win32 "dmake" makefile.mk has been updated to make it compatible with the latest versions of dmake.

PERL_MALLOC, DEBUG_MSTATS, PERL_HASH_SEED_EXPLICIT and NO_HASH_SEED should now work in Win32 makefiles.

Selected Bug Fixes

The socket() function on Win32 has been fixed so that it is able to use transport providers which specify a protocol of 0 (meaning any protocol is allowed) once more. (This was broken in 5.8.6, and typically caused the use of ICMP sockets to fail.)

Another obscure bug involving substr and UTF-8 caused by bad internal offset caching has been identified and fixed.

A bug involving the loading of UTF-8 tables by the regexp engine has been fixed - code such as "\x{100}" =~ /[[:print:]]/ will no longer give corrupt results.

Case conversion operations such as uc on a long Unicode string could exhaust memory. This has been fixed.

index/rindex were buggy for some combinations of Unicode and non-Unicode data. This has been fixed.

read (and presumably sysread) would expose the UTF-8 internals when reading from a byte oriented file handle into a UTF-8 scalar. This has been fixed.

Several pack/unpack bug fixes:

Checksums with b or B formats were broken.

unpack checksums could overflow with the C format.

U0 and C0 are now scoped to ()pack sub-templates.

Counted length prefixes now don't change C0/U0 mode.

packZ0 used to destroy the preceding character.

P/ppack formats used to only recognise literal undef

Using closures with ithreads could cause perl to crash. This was due to failure to correctly lock internal OP structures, and has been fixed.

The return value of close now correctly reflects any file errors that occur while flushing the handle's data, instead of just giving failure if the actual underlying file close operation failed.

not() || 1 used to segfault. not() now behaves like not(0), which was the pre 5.6.0 behaviour.

h2ph has various enhancements to cope with constructs in header files that used to result in incorrect or invalid output.

New or Changed Diagnostics

There is a new taint error, "%ENV is aliased to %s". This error is thrown when taint checks are enabled and when *ENV has been aliased, so that %ENV has no env-magic anymore and hence the environment cannot be verified as taint-free.

The internals of pack and unpack have been updated. All legitimate templates should work as before, but there may be some changes in the error reported for complex failure cases. Any behaviour changes for non-error cases are bugs, and should be reported.

Changed Internals

There has been a fair amount of refactoring of the C source code, partly to make it tidier and more maintainable. The resulting object code and the perl binary may well be smaller than 5.8.6, and hopefully faster in some cases, but apart from this there should be no user-detectable changes.

${^UTF8LOCALE} has been added to give perl space access to PL_utf8locale.

The size of the arenas used to allocate SV heads and most SV bodies can now be changed at compile time. The old size was 1008 bytes, the new default size is 4080 bytes.

Known Problems

Unicode strings returned from overloaded operators can be buggy. This is a long standing bug reported since 5.8.6 was released, but we do not yet have a suitable fix for it.

Platform Specific Problems

On UNICOS, lib/Math/BigInt/t/bigintc.t hangs burning CPU. ext/B/t/bytecode.t and ext/Socket/t/socketpair.t both fail tests. These are unlikely to be resolved, as our valiant UNICOS porter's last Cray is being decommissioned.

Reporting Bugs

If you find what you think is a bug, you might check the articles recently posted to the comp.lang.perl.misc newsgroup and the perl bug database at http://bugs.perl.org. There may also be information at http://www.perl.org, the Perl Home Page.

If you believe you have an unreported bug, please run the perlbug program included with your release. Be sure to trim your bug down to a tiny but sufficient test case. Your bug report, along with the output of perl -V, will be sent off to perlbug@perl.org to be analysed by the Perl porting team. You can browse and search the Perl 5 bugs at http://bugs.perl.org/